Java’s new “very high” security mode can’t protect you from malware

Fix that was supposed to make malware attacks harder can be easily circumvented.

Security researchers have disclosed a new bug in Oracle's Java framework that allows attackers to bypass a security protection specifically designed to make browser-based malware attacks harder.

The security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java. Those attacks allowed crooks to surreptitiously install malware on the computers of unsuspecting people through the Java browser plugin. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java.

"Unfortunately, the above is only a theory," security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. "In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel."

Oracle representatives didn't immediately respond to an e-mail seeking comment for this post. In addition to shoring up the quality of the Java code base, many security professionals have called on Oracle to communicate more quickly and effectively when it learns of new vulnerabilities in recent versions of its software.

Because of the vulnerability, Gowdiak wrote in an e-mail posted to the Bugtraq mail list, "unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings." He said Security Explorations, the Poland-based security firm he runs, has submitted proof-of-concept attack code to Oracle. It successfully overrides the protections on a fully patched Windows 7 machine that's configured to run Java 7 Update 11 with the "very high" security setting.
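The practical consequence of the finding above is that the Control Panel slider is not a security boundary: whatever level it sits at, the only setting that actually keeps hostile applets out of the browser is the one that turns web Java off. The script below is an added example written for this page (it is not Oracle's code and not the Security Explorations proof of concept). It audits, and optionally hardens, the per-user deployment.properties file that backs the Java Control Panel. It assumes the property names deployment.security.level (LOW, MEDIUM, HIGH, VERY_HIGH) and deployment.webjava.enabled (the "Enable Java content in the browser" checkbox added in 7u10), a per-user file path under AppData\LocalLow on Windows, and a sample file that is constructed here rather than taken from a real machine.

```python
"""Audit and harden a Java 7 deployment.properties file (added example).

Assumed, not taken from the page: the property names below, the per-user
file path, and the constructed SAMPLE_PROPERTIES contents.
"""
import re
import sys
from pathlib import Path

# Constructed sample: slider at "Very High" but the browser plugin left on,
# i.e. the configuration the article says is still bypassable.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Mon Jan 28 10:00:00 CET 2013
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=true
deployment.javaws.viewer.bounds=100,100,640,480
deployment.user.cachedir=C\\:\\\\Users\\\\alice\\\\AppData\\\\LocalLow\\\\Sun\\\\Java\\\\Deployment\\\\cache
deployment.console.startup=NEVER
"""

_ESC = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s: str) -> str:
    """Undo java.util.Properties escaping: \\: \\= \\\\ \\uXXXX \\t \\n ..."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "u" and i + 6 <= len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESC.get(n, n))
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Parse the java.util.Properties format: '#'/'!' comment lines, the first
    unescaped '=', ':' or whitespace ends the key, an odd number of trailing
    backslashes continues the logical line onto the next physical line."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if len(re.search(r"(\\*)$", line).group(1)) % 2 == 1:
            pending.append(line[:-1])
            continue
        full, pending = "".join(pending) + line, []
        i = 0
        while i < len(full):  # locate the first unescaped separator
            if full[i] == "\\":
                i += 2
                continue
            if full[i] in "=: \t":
                break
            i += 1
        key, rest = full[:i], full[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(rest)
    return props


def audit(props: dict) -> dict:
    """The slider level is reported but does not drive the verdict: with the
    plugin enabled the browser is exposed even at VERY_HIGH. An absent
    deployment.webjava.enabled is treated as enabled (assumed default)."""
    level = props.get("deployment.security.level", "(not set, JRE default)")
    web_on = props.get("deployment.webjava.enabled", "true").lower() != "false"
    return {
        "security_level": level,
        "web_java_enabled": web_on,
        "browser_exposed": web_on,
        "advice": ("set deployment.webjava.enabled=false or disable the plugin "
                   "in every browser" if web_on else "browser plugin disabled"),
    }


def harden(text: str) -> str:
    """Return a copy with web Java off and the slider at VERY_HIGH; every
    other line, including comments and cache paths, is preserved as-is."""
    wanted = {"deployment.webjava.enabled": "false",
              "deployment.security.level": "VERY_HIGH"}
    out, seen = [], set()
    for line in text.splitlines():
        key = re.split(r"(?<!\\)[=: \t]", line.strip(), maxsplit=1)[0]
        if key in wanted:
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
        else:
            out.append(line)
    out += [f"{k}={v}" for k, v in wanted.items() if k not in seen]
    return "\n".join(out) + "\n"


def user_properties_path() -> Path:
    """Per-user location on Windows (assumed path, see lead-in)."""
    return (Path.home() / "AppData" / "LocalLow" / "Sun" / "Java"
            / "Deployment" / "deployment.properties")


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    path = Path(args[0]) if args else user_properties_path()
    text = path.read_text() if path.exists() else SAMPLE_PROPERTIES
    print(audit(parse_properties(text)))
    if "--fix" in sys.argv and path.exists():
        path.write_text(harden(text))
```

Run it with no arguments to audit the current user's file (it falls back to the constructed sample when the file is absent), or pass a path and `--fix` to rewrite that file with the plugin disabled. Note that a system-wide deployment.config can point the JRE at an administrator-controlled properties file, so on a managed machine check that file too, and that turning off web Java in the properties file does not remove the plugin DLLs: for a machine that must keep Java installed, disabling the plugin inside each browser as well belongs to the same change.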

* on a serious note, its usage with applets continues to thrive in certain sectors. My GF's kid is in a school that forces compulsory use of fantastically shitty software, that must be installed on students laptops, a lot of which is Java-based.

One such shitty program they enforce is the usage of an email program that has a web-based client, using an applet interface. Not only is it just plain awful ( it's as if the same demented villains who created Lotus Notes smoked bath salts baked in DMT with a side of crack thrown in for extra flavor and then wrote this program ), but if they refuse to use it, they are threatened with fail grades for all classes. Now, let's contemplate a small town school's IT department.... and some third-party piece of shit software.... whose client is a java applet... I set him up to run a VM for doing school work. All his personal stuff is backed up weekly and the VM reloaded from a clean image as often.

How does Java's security issues compare to Flash's security issues from - when was it? - last year?

Flash barely gives you any real control over the target machine, so for any serious exploit, you need to find a way to execute arbitrary code, which is getting harder and harder on modern OSes, and can only target specific OSes or even specific OS versions. Java, on the other hand, has built-in features that essentially give you full control over a machine, and the idea was that if the security model is enforced correctly, it should be impossible to use the dangerous features from a Web applet.

The thing is, it seems that it's being enforced very well. So if you find a way to bypass these security features, you get an easy access to anything on the machine. Plus, it's platform-independent.

My girlfriend is Danish, and like all Danes, has the curse of Java haunting her. Danes have some sort of "ebox" official mailbox, where messages about tax, salary and other things go, as part of a paperless session. So far, so good.. but it seems to feature not just a one-time pad* but requires use of a java applet.. argh.

Since I don't want to get all Powdered Toast Man on her computer, and set up a browser with java in a VM, I suggested that she use a different browser just for that, and disable Java in her main browser, for now. Still though, ick.

* Not actually a terrible idea, they're still rather effective, but it does have an exciting WWII vibe to it.

You know what is going to happen? This is going to leak to the mainstream, and I am going to get tons of panicked calls when a JavaSCRIPT error happens.

My supervisor (who heads IT) keeps wondering if our site is going to break if they turn off Java, thinking that it's the same, so good luck with that! I think we've explained it 5 or 6 times that they aren't the same thing, and lo and behold, a few days later, something else comes up and we're getting asked about it again. Too bad they didn't name it something else....

Just down tools on all the current projects, and go through Java with a fine tooth comb.

Why? Because you're on the very tip of "dog bites man" in headline terms. In fact, many of us would quite like to see the headline "Java security not breached for a fortnight" - it would be a welcome change.

This may be obvious to everyone, but if you have kids or family members that play Minecraft, make sure to disable the Java plugin in their browsers.... A local installation of the JRE is likely safe enough as long as the browser integration is removed and people practice safe downloading.

At this point you have to wonder if the problem is, a) that the Java team is so chronically undermanned and underfunded that they don't have time to do a competent job, or b) Oracle is taking the oft-used corporate tack of manning an unloved department with interns and newbies, managed by the least-liked manager they can't fire for political reasons.

Question for experts: What's the best (and easiest) way to set up a securely sandboxed browser (Chrome or Firefox) in Windows 7 x64 so it can use Java?

I ask because by damn I'm going to fix this now for my family, but removing Java isn't an option (As mentioned many times Java w/ browser integration is compulsory in Denmark to access any kind of banking or public service). I could set up an entire VM obviously (which I've done for myself as an interim solution), but it'd be a lot of work to do on all their computers, and odds are it'd be too complex for them to remember to use. Ideally I need to simply give them a shortcut on their Desktop that I can tell them to use for NemID as it's called.

If you used something using free software, you could just build the VM once and copy it to each computer- that's the joy of VMs.

..then did some tweaking to ensure that it was all set up nice and DKish*, had a working Java and so forth, and that what needed clicking was obvious.. then set up a link to launch it in VMWare player with a name like "safe ebox" or something?

It still involves some effort on your part, but you'd only need to get it right once, and then you could stick it on a USB key/dropbox/whatever and deploy as needed.

Just off the top of my head, anyway, food for thought. HTH etc..

* I am sure that Danish is perfectly lovely, it just turns my brain inside-out a bit

1) (BEST): If you have a need for Java, switch to Linux (Kubuntu, say), install OpenJDK, and simply don't install the browser plugin AT ALL. On Linux, the browser plugin is not installed by default, you have to actually search for it and manually install it. Poof! Problem goes away.

2) (Sort of Meh): If you're determined to keep Windows, and you have to use Java because your country requires its use in banking software, go out and buy a little NetBook, install Java on it, and ONLY use that NetBook to access your bank accounts. Cost: $200. Poof! Problem goes away (because you're not accessing random websites that could infect you -- you only use the netbook for banking).

3) (Kinda sad): If you're a Windows user who doesn't like Linux OR Java and doesn't need Java to do banking, you might as well uninstall it. I don't think there's an OpenJDK for Windows out there, and Oracle's implementation kinda sucks. You might be able to use a third party JRE, like IBM's Jikes, if you decide you want to run some Java code, however.

At least in FF 18, Firefox no longer even shows the Java plug-in in the add-ins list. If you hit a site with Java it gives you all kinds of warnings. If you are persistent you can enable it though. Not 100% certain this is the same in the release version though.

Oh, and Oracle's kinda crap lately, aren't they?

Switch to Linux just because of Java? Seems a bit drastic.

If you're going to go to all that trouble to not bother installing the plugin anyway, why not do the same on Windows? The plugin can be disabled in each of the major browsers.

Oracle can't rewrite Java. It's not even close to possible. You can complain all you want, but it's never going to happen, and you might as well stop now. The same people who worked on it at Sun are working on it now, and Sun was no better at this.

One of Java's main features is 100% backward compatibility. Oracle can't remove features that no-one in their right mind would still use because it would break compatibility with software written in 1997. It's a very large runtime environment. Once they do that, developers will desert Java in droves. If my code isn't guaranteed compatible, and I have to comb it line by line for issues, why would I not - finally - look at alternatives?

Indeed, by introducing compatibility issues through rewriting, you actually force people onto earlier, less secure versions. If Minecraft breaks on Java 7 update 12, people will stay on 7u11 to run it. I'm sure plenty of people still have Java 6 - or even earlier - installed.

You can argue the point around that, and I certainly think there should have been more discussion, but today it's a hallmark of Java - that it runs every Java program ever written, in the same way on every platform.

No, the only way forward that I can see is some kind of process isolation for Java applets. Something like the very-low-integrity level IE10. Does anyone know if this is a problem on IE10 on Windows 8? I'm sure the exploit works, but does the process isolation mitigate the attack to the point where it can't do any harm?

I said the short version of this within the first like what, 20 posts? I mean, this is getting in the mainstream news, but I know I'm not the only person here over, oh I dunno, 15. When has Java NOT had these kinds of problems?

OTD Razor wrote:

Switch to Linux just because of Java? Seems a bit drastic.

If you're going to go to all that trouble to not bother installing the plugin anyway, why not do the same on Windows? The plugin can be disabled in each of the major browsers.

Am I missing something here?

Linux fanboyism, I suspect. Who else would recommend either dumping OS or buying a computer for the SOLE PURPOSE of using Java with even half-hearted sincerity?

What does Oracle have against secure Java? Is it some ideological thing, like they just hate security? Or did they can all the competent developers after they bought Sun?

The rumors I am hearing (from ex-Sun veterans) is precisely that - Oracle don't want to invest in Java; they only invest because they must, which means - they invest as little as possible (and as a side-effect, anyone half-competent runs away from the Java team). Sad.